S3: allowing access by source
If a statement restricting access to a VPC endpoint and a statement restricting access to a public IP are written together, and that public IP belongs to the same VPC, the result is that neither path can access the bucket. If you need this, allow only the specified public IP and do not add the endpoint restriction.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceIP",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxx",
        "arn:aws:s3:::xxxx/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "xxx.xxx.xxx.xxx/32"
        }
      }
    }
  ]
}
```
If you only want instances connected to the endpoint and external hosts to have access, you can use the following policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VPCe",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::xxxx",
        "arn:aws:s3:::xxxx/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "endpoint"
        }
      }
    }
  ]
}
```
If you want instances connected to the endpoint to access S3 and also want external hosts outside this VPC to have access, you can use the following policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceIP",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxx",
        "arn:aws:s3:::xxxx/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "xxx.xxx.xxx.xxx/32"
        },
        "StringNotEquals": {
          "aws:SourceVpce": "endpoint"
        }
      }
    }
  ]
}
```
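To make the difference between separate Deny statements and one combined statement concrete, here is a small added simulation of how IAM evaluates these conditions; it is not code from the original post. It assumes, following the AWS condition-key documentation, that aws:SourceIp is absent from the request context when a request arrives through a VPC endpoint and aws:SourceVpce is absent otherwise, and that negated operators such as NotIpAddress and StringNotEquals match when their key is absent; the IP address, endpoint id and bucket names are constructed placeholders.

```python
import ipaddress

# Request contexts, constructed for this example. Assumed per AWS docs:
# aws:SourceIp is absent for requests arriving through a VPC endpoint, and
# aws:SourceVpce is absent for requests that do not traverse one.
VPC_NAT_EIP = "198.51.100.5"    # constructed: public IP (NAT gateway) of the VPC
ENDPOINT_ID = "vpce-0example"   # constructed placeholder endpoint id
CONTEXTS = {
    "instance_via_endpoint": {"aws:SourceVpce": ENDPOINT_ID},
    "instance_via_nat": {"aws:SourceIp": VPC_NAT_EIP},
    "random_internet_host": {"aws:SourceIp": "203.0.113.9"},
}

def _pair_matches(op, expected, actual):
    """One operator/key pair. Negated operators match when the key is absent."""
    if op == "NotIpAddress":
        return actual is None or ipaddress.ip_address(actual) not in ipaddress.ip_network(expected)
    if op == "StringNotEquals":
        return actual is None or actual != expected
    raise ValueError(f"unsupported operator {op}")

def statement_applies(stmt, ctx):
    """All operator/key pairs in one Condition block must hold (logical AND)."""
    return all(_pair_matches(op, exp, ctx.get(key))
               for op, kv in stmt.get("Condition", {}).items()
               for key, exp in kv.items())

def is_denied(policy, ctx):
    """An explicit Deny wins; an Allow from the identity policy is assumed."""
    return any(s["Effect"] == "Deny" and statement_applies(s, ctx)
               for s in policy["Statement"])

def deny_stmt(cond):
    return {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::xxxx", "arn:aws:s3:::xxxx/*"],
            "Condition": cond}

IP_COND = {"NotIpAddress": {"aws:SourceIp": VPC_NAT_EIP + "/32"}}
VPCE_COND = {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}}

# Two separate Deny statements: either one firing is enough to deny (OR).
SEPARATE = {"Version": "2012-10-17",
            "Statement": [deny_stmt(IP_COND), deny_stmt(VPCE_COND)]}
# Both conditions in one statement: Deny only when neither source matches (AND).
COMBINED = {"Version": "2012-10-17",
            "Statement": [deny_stmt({**IP_COND, **VPCE_COND})]}

def evaluate(policy):
    return {name: is_denied(policy, ctx) for name, ctx in CONTEXTS.items()}
```

`evaluate(SEPARATE)` reports every path denied, including both the endpoint and NAT paths from the VPC, while `evaluate(COMBINED)` denies only the unrelated internet host.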
If you only want instances connected to the endpoint to have access, you can only specify the public IP
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SourceIP",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxx",
        "arn:aws:s3:::xxxx/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "xxx.xxx.xxx.xxx/32"
        }
      }
    }
  ]
}
```